Automatic Software Verification Instructor: Mooly

Transcript:Automatic Software Verification Instructor: Mooly:
Automatic Software Verification Instructor: Mooly Sagiv TA: Oded Padon Slides from Eran Yahav and the Noun Project, Wikipedia Course Requirements Summarize one lecture 10% one lecture notes 45% homework assignment 45% exam/project Inspired by Other Courses CS395T: Automated Logical Reasoning (UT Austin) Isil Dillig SAT/SMT Solver and Applications Graduate Seminar W2013 University of Waterloo (Vijay Ganesh) Software is Everywhere Software is Everywhere Exploitable Exploitable Software is Everywhere The Sony PlayStation Network breach: An identity-theft bonanza Massive Sony PlayStation data breach puts about 77 million people at higher risk of fraud (April 2011) RSA hacked, information leaks RSA's corporate network suffered what RSA describes as a successful advanced persistent threat attack, and "certain information" was stolen that can somehow affect the security of SecurID authentication (March 2011) Stuxnet Worm Still Out of Control at Iran's Nuclear Sites, Experts Say The Stuxnet worm, named after initials found in its code, is the most sophisticated cyberweapon ever created. (December 2010) Security Advisory for Adobe Flash Player, Adobe Reader and Acrobat This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment. (March 2011) RSA tokens may be behind major network security problems at Lockheed Martin Lockheed Martin remote access network, protected by SecurID tokens, has been shut down (May 2011) da return address Buffer Overrun void foo (char *x) { char buf[2]; strcpy(buf, x); } int main (int argc, char *argv[]) { foo(argv[1]); } memory Saved FP char* x buf[2] … ab ra ca > ./a.out abracadabra Segmentation fault terminal source code foo strcpy main Buffer Overrun Exploits int check_authentication(char *password) { int auth_flag = 0; char password_buffer[16]; strcpy(password_buffer, password); if(strcmp(password_buffer, "brillig") == 0) auth_flag = 1; if(strcmp(password_buffer, "outgrabe") == 0) auth_flag = 1; return auth_flag; } int main(int argc, char *argv[]) { if(check_authentication(argv[1])) { printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); printf(" Access Granted.\n"); printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); } else printf("\nAccess Denied.\n"); } (source: “hacking – the art of exploitation, 2nd Ed”) Attack Application evil input AAAAAAAAAAAA -=-=-=-=-=-=-=-=-=-=-=-=-=- Access Granted. 65 -=-=-=-=-=-=-=-=-=-=-=-=-=- Automatic Program Verification Desired Properties  Solver Is there a behavior of P that violates ? Counterexample Proof Program P Example int check_authentication(char *password) { int auth_flag = 0; char password_buffer[16]; strcpy(password_buffer, password); if(strcmp(password_buffer, "brillig") == 0) auth_flag = 1;